Fixes #10719: Prevent user without sufficient permission from creating an IP address via FHRP group creation

2024-05-10 07:54:54 +00:00 · 2022-10-26 08:44:20 -04:00
parent 2a62b628cf
commit 7b3ef2ade5
3 changed files with 9 additions and 1 deletions
--- a/netbox/ipam/forms/models.py
+++ b/netbox/ipam/forms/models.py
@@ -552,6 +552,7 @@ class FHRPGroupForm(NetBoxModelForm):

    def save(self, *args, **kwargs):
        instance = super().save(*args, **kwargs)
+        user = getattr(instance, '_user', None)  # Set under FHRPGroupEditView.alter_object()

        # Check if we need to create a new IPAddress for the group
        if self.cleaned_data.get('ip_address'):
@@ -565,7 +566,7 @@ class FHRPGroupForm(NetBoxModelForm):
            ipaddress.save()

            # Check that the new IPAddress conforms with any assigned object-level permissions
-            if not IPAddress.objects.filter(pk=ipaddress.pk).first():
+            if not IPAddress.objects.restrict(user, 'add').filter(pk=ipaddress.pk).first():
                raise PermissionsViolation()

        return instance
--- a/netbox/ipam/views.py
+++ b/netbox/ipam/views.py
@@ -930,6 +930,12 @@ class FHRPGroupEditView(generic.ObjectEditView):

        return return_url

+    def alter_object(self, obj, request, url_args, url_kwargs):
+        # Workaround to solve #10719. Capture the current user on the FHRPGroup instance so that
+        # we can evaluate permissions during the creation of a new IPAddress within the form.
+        obj._user = request.user
+        return obj
+

 class FHRPGroupDeleteView(generic.ObjectDeleteView):
    queryset = FHRPGroup.objects.all()